
The Biggest Threat? It May Be You

When it comes to virtual server security, you might just be the weak link. Or, more precisely, your lack of planning, maintenance, and governance of that VM server farm.

InformationWeek Supplement, 6/22/2009 (InformationWeek Green, sponsored by Novell)

We're halfway through 2009, and still no reports of production hosts being hyperjacked, leaving servers at the mercy of a compromised hypervisor. So what about all those dire 2007 predictions of virtualization-fueled havoc from third-party APIs, virtual NIC drivers, guest escalation breakouts, or compromised hypervisors? Anyone?

The only virtualization-related vulnerability in a major vendor's product that is confirmed to have been exploited in the real world is Microsoft's privilege escalation flaw in the embedded hypervisor of 2006-model-year Xbox 360 consoles. At the time of writing, no vulnerabilities have been reported against Hyper-V or Virtual PC.

As virtualization has gone mainstream and virtual machines have sprawled across data centers over the past few years, IT and security pundits repeatedly raised the bogeyman of compromised hypervisors. Black Hat seminars continue to debate potential risks and exploits. Gartner predicted there would be a hypervisor vulnerability worthy of a patch by the end of last year. Did any of the 19 security patches that VMware released in 2008 count as patch-worthy? Of course they did. Whether any of them patched a likely real-world exploit is up for debate.

The reality is that virtualization is simply software. Tightly written bundles of highly efficient code, designed with a hard crunchy shell, but software nonetheless. As with any complex, widely adopted program, there have been code and design flaws, and there will be more.

Given that, what are the likely threats? Virtual servers are just servers. The hardware abstraction and flexibility inherent in virtualization yields untethered VMs that are easy to create, deploy, shelve, and, well, even lose track of. The biggest threats to your virtualized world aren't bad guys wielding BIOS viruses, mythical blue pills, or a dastardly new method of usurping control of underlying host platforms. Rather, the weakest link is your own lack of planning, care, maintenance, and governance over your Wild West, devil-may-care VM farm.

Shore Up Standard Defenses
There's a long list of security concerns in small and large virtualized shops. You should be concerned about potential exploits allowing guest VMs to break out of their jails and into the host or hypervisor tier, says Greg Shipley, CTO at information security consulting firm Neohapsis, but you should be more concerned about unpatched guest VMs lurking forgotten on a test host or shuttling from host to host via poor live migration rule sets. Hyperjacking and intrahost risks are concerns, "but is that the right battle to fight?" he asks.

Just about everyone can benefit from basic risk management thinking, where the likelihood of a threat is weighed against its potential impact and the effort and cost of remediation, Shipley says. Most companies have basic security design and infrastructure concerns that span both physical and virtualized environments. As boring as it sounds, addressing those concerns will have a greater impact on overall safety than any single-purpose VM tool. Put another way, focusing on VM-specific solutions is premature if your physical shop is at risk.

Any unpatched server is a security risk, and a test or production VM, with management authority delegated to a business unit or development team, is a serious risk. Even if you have an automated patch management system or a formal in-house patch management strategy, you probably aren't 100% certain that all your VMs' OS and application instances are up to date. Attackers will probe your network for common exploits, and an unpatched Win2K3 server with a known hole is an easy mark. Bad guys don't care if the server is physical or virtual. They're just looking for exploitable targets.

Traditional automated patching strategies don't take offline servers into consideration. In the physical world, a dark server is out of play; in the virtual world, a suspended or archived guest comes back online exactly as vulnerable as it was when it was parked, so it has to be updated with virtualization-aware patch management tools that can work on powered-off images. VM templates and base images have to be maintained and patched too, because every clone inherits whatever they're missing. Lacking these tools, shops should vet each VM for currency and compliance, applying all patches before releasing a guest server to production.
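The two checks described in the last two paragraphs, reconciling the hypervisor's own inventory (suspended and powered-off guests and templates included) against what the patch-management console knows, and gating a guest's release on currency, as an added example. This is not code from the article or from any vendor's tooling; the inventory layouts, VM names, owners and dates are constructed assumptions standing in for whatever your hypervisor API and patch console actually export.

```python
"""Reconcile a hypervisor's VM inventory with a patch-management inventory.

Conventional agent-based patching only sees guests that are powered on and
reporting. This finds the guests it misses: suspended or powered-off VMs,
templates and base images, and VMs the patch system has never heard of.
The inventory formats below are illustrative assumptions, not any vendor's API.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export from the hypervisor management layer.
HYPERVISOR_INVENTORY = [
    {"name": "web-01",      "power": "on",        "template": False, "owner": "ops"},
    {"name": "web-02",      "power": "on",        "template": False, "owner": "ops"},
    {"name": "qa-db-old",   "power": "suspended", "template": False, "owner": "dev"},
    {"name": "bu-finance1", "power": "off",       "template": False, "owner": "finance"},
    {"name": "tmpl-w2k3",   "power": "off",       "template": True,  "owner": "ops"},
    {"name": "lab-scratch", "power": "on",        "template": False, "owner": "dev"},
]

# Constructed sample export from the patch-management console:
# the date each guest last completed a successful patch cycle.
PATCH_INVENTORY = {
    "web-01":    date(2009, 6, 10),
    "web-02":    date(2009, 6, 10),
    "qa-db-old": date(2008, 11, 2),   # agent went quiet when the VM was suspended
    "tmpl-w2k3": date(2009, 1, 15),   # template, patched by hand in January
}

REPORT_DATE = date(2009, 6, 22)       # date of the article, used as "today"


@dataclass(frozen=True)
class Finding:
    vm: str
    severity: str   # "high" or "medium"
    reason: str


def find_patch_gaps(hv_inventory, patch_inventory, today, max_age_days=30,
                    central_owners=("ops",)):
    """Return a Finding for every guest a conventional patch cycle would miss.

    A guest is stale when its last successful patch cycle is older than
    max_age_days. Guests administered outside the central team are rated
    high because nobody else is watching them; templates are always high
    because every clone inherits whatever they are missing.
    """
    cutoff = today - timedelta(days=max_age_days)
    findings = []
    for vm in hv_inventory:
        name = vm["name"]
        severity = "medium" if vm["owner"] in central_owners else "high"
        last_patched = patch_inventory.get(name)
        if last_patched is None:
            findings.append(Finding(name, severity,
                                    "unknown to patch management; never enrolled"))
        elif last_patched >= cutoff:
            continue                      # current: nothing to report
        elif vm["template"]:
            findings.append(Finding(name, "high",
                                    "stale template: every new clone inherits missing patches"))
        elif vm["power"] in ("off", "suspended"):
            findings.append(Finding(name, severity,
                                    f"stale {vm['power']} guest: agent cannot run; "
                                    "patch offline or before power-on"))
        else:
            findings.append(Finding(name, severity,
                                    "stale powered-on guest: agent is not reporting"))
    return findings


def release_ready(name, hv_inventory, patch_inventory, today, max_age_days=30):
    """Gate for promoting a guest to production: True only if it has no gap."""
    return not any(f.vm == name for f in
                   find_patch_gaps(hv_inventory, patch_inventory, today, max_age_days))


if __name__ == "__main__":
    for f in sorted(find_patch_gaps(HYPERVISOR_INVENTORY, PATCH_INVENTORY, REPORT_DATE),
                    key=lambda f: (f.severity, f.vm)):
        print(f"[{f.severity:6}] {f.vm:12} {f.reason}")
```

On the sample data the two powered-on production web servers pass, while the suspended QA database, the finance unit's powered-off guest, the stale Windows 2003 template and the developers' scratch VM all surface, which is exactly the population a patch console that only hears from live agents never shows you. Run it against real exports on a schedule and treat a non-empty report as a blocker for anything being promoted to production.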
